Re: Avoiding natd overhead

В сб, 21/10/2006 в 16:08 -0600, Brett Glass пишет:
At 03:54 AM 10/21/2006, Vladimir Grebenschikov wrote:

1. use PF for nat - it does aliasing in kernel space

True, but it doesn't let me translate the packets and
then continue processing within the firewall -- which
is necessary if you want to catch unregistered destination
addresses BEFORE translation and then unregistered source
addresses AFTER translation.

2. use in-kernel libalias implementation
(I guess man-page for ng_nat(4) will help)

Same problem. I don't know how I could send packets
through a Netgraph node in the middle of processing
by IPFW and then bring them back at the next rule.

Some years ago, I've managed to use ksocket interface to catch divert
packets from ipfw and even return them back (surprisingly it did support
divert AF).

But, be careful, it is easy to get infinite loop in kernel with this
technique. Probably some loop prevention appears in from these times,
but I am not sure.

I suppose that one solution might be, for lack of a
better term, a "kernel divert socket," which would
pass packets through a kernel module rather than a
user process. (This could actually be used to speed
up many things for which the current "userland"
divert sockets are now used.) It would then be
possible to make a "nat.ko" module, and either
provide a utility to control it or roll that
functionality into ipfw(8).

--Brett

--
Vladimir B. Grebenschikov
vova@xxxxxxx
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

Relevant Pages

  • Re: Avoiding natd overhead
    ... On 10/22/06, Vladimir Grebenschikov wrote: ... > addresses BEFORE translation and then unregistered source ... I don't know how I could send packets ... > better term, a "kernel divert socket," which would ...
    (freebsd-net)
  • Re: Avoiding natd overhead
    ... is necessary if you want to catch unregistered destination ... addresses BEFORE translation and then unregistered source ... I don't know how I could send packets ...
    (freebsd-net)
  • Re: freeBSD /ipfw/ divert socket
    ... I need a little help with FreeBSD Kernel stuff. ... when no application is reading at divert socket. ... Speaking from experience, it would be trivial to borrow sys/netgraph/ng_tee.c and modify it to pass packets through the left2right and right2left hooks when the hooks are connected, and pass packets directly right or left when the left2right and right2left hooks aren't connected. ...
    (freebsd-net)
  • Re: Linux v Dedicated NAT routers - secure remote differences
    ... > NAT After IPSec ... > one-to-one address translation occurs it will ... I don't think this is the case - it was reported to me that my packets had ... This scenario is possible because ESP does not use the IP ...
    (comp.security.firewalls)
  • Re: Changing TOS of forwarded packets?
    ... use ipfw to send sessions that match to a divert socket at port X. ... (he's looking at ethernet packets where you would be looking at IP ... My little goodie is a netgraph node for packet mangling in its ...
    (freebsd-net)